The ICO published its draft guidance on data subject access requests (“DSAR(s)”). In seeking to discuss the right of access in detail, the draft guidance covers a number of topics including recognising DSARs; refusing to comply with a request; and what exemptions may apply.
The guidance sheds further light on the time to respond to DSARs, ‘complex’ DSARs and bulk requests.
What are DSARs:
Article 15 of the GDPR and section 45 of the Data Protection Act give an individual the right to obtain from an organisation a copy of their personal data and information on how it is processed.
It is a fundamental right for individuals and helps them understand how and why organisations are using their data. Since the GDPR came into effect, numerous sources suggest that individuals are becoming increasingly aware of their rights and how to exercise them. Accordingly, businesses are seeing an increase in the volume of DSARs and the guidance available from the ICO should help organisations deal with the additional requests.
In this piece, we have set out some of the key points for organisations to consider from the draft guidance.
As stated in previous guidance, the ICO confirms that there are no formal requirements for making a request and that requests may be made verbally, in writing (even on social media) and through third parties. As requests do not need to be directed at specific contacts within an organisation, the ICO suggests organisations consider specific training for public-facing staff to help identify DSARs and understand the next steps.
Considerations when responding to DSARs:
Time for response and ‘complex’ requests
Organisations will usually have a month to respond to a request, unless the request is ‘complex’ or the organisation has received numerous requests from the same individual (for example, simultaneous access, erasure and portability requests).
A ‘complex’ request may include situations where:
- there are technical difficulties in retrieving the information (for example, the data is electronically archived);
- an organisation is seeking to apply an exemption that involves large volumes of sensitive information; or
- specialist work is required in redacting information.
The guidance is clear that, while requests that involve large volumes of information may add to the complexity of a request, a request is not complex solely because of large volumes.
Archives, back-ups and emails
The guidance highlights that there is no ‘technology exemption’ from the right of access and organisations should have proper procedures in place to find and retrieve personal data that has been electronically archived or placed in back-up. The ICO suggests that organisations should have defined retention periods setting out how long such data is kept in archive or back-up.
The guidance states that personal information counts as deleted if an organisation has deleted it (as far as possible) and has no intention of accessing it again. If the personal information satisfies these criteria, an organisation would not need to go to special efforts to recover it in order to respond to a DSAR. However, the guidance is clear that emails that have been moved to a ‘Deleted items’ folder would not constitute ‘deleted information’ in this context.
Refusing to comply
An organisation can only refuse to comply with a DSAR on a case-by-case basis if it can demonstrate that a request is manifestly unfounded or excessive. The guidance clarifies where this may be the case:
- ‘manifestly unfounded’ includes circumstances where:
  - an individual clearly has no intention to exercise their right of access; or
  - a request is malicious and is used to harass an organisation to cause disruption;
- ‘excessive’ includes circumstances where a request:
  - repeats the substance of previous requests and a reasonable interval has not elapsed; or
  - overlaps with other requests.
The guidance is clear that previous manifestly unfounded or excessive requests cannot be used to designate present requests as such, nor is a request necessarily excessive simply because it asks for a large amount of information.
Although the draft guidance generally consolidates previously published guidance, it does provide additional information and clarity as to what is expected of data controllers when dealing with DSARs.
Currently, the guidance is open for public and stakeholder consultation and the ICO is taking comments on the draft until 17:00 on 12 February 2020.